Access control with IAM

This page provides information on Identity and Access Management (IAM) roles and permissions for BigQuery. Before you configure access control for BigQuery, you can familiarize yourself with how to manage access to Google Cloud with IAM.

You might also need detailed guidance for roles and permissions for the following BigQuery services:

BigQuery ML

Overview

When an identity (a user or service account) calls a Google Cloud API, BigQuery requires that the identity has the appropriate permissions to use the resource. You can grant permissions by granting roles to a user, a group, or a service account.

This page describes the BigQuery IAM roles that you can grant to identities to access BigQuery resources.

IAM role types

You can manage the following types of roles in IAM:

Predefined roles provide granular access for a specific service and are managed by Google Cloud. Predefined roles are meant to support common use cases and access control patterns.
Custom roles provide access according to a user-specified list of permissions.

To determine if one or more permissions are included in a role, you can use one of the following methods:

When you assign multiple role types to a user, the permissions granted are a union of each role's permissions.

For additional information on using IAM to access resources, see Granting, changing, and revoking access to resources in the IAM documentation.

For information on creating custom roles, see Creating and managing custom roles in the IAM documentation.

BigQuery permissions and predefined IAM roles

Permissions are not assigned directly to users, groups, or service accounts. Instead, users, groups, or service accounts are granted access to predefined or custom roles to give them permissions to perform actions on resources.

You can grant access at the following BigQuery resource levels:

organization or Google Cloud project level
dataset level
table or view level

Roles applied at an organization or Cloud project level

When you assign roles at the organization and project level, you provide permission to run BigQuery jobs or to access all of a project's BigQuery resources.

Roles applied at a dataset level

You can assign roles at the dataset level to provide access to a specific dataset, without providing complete access to the project's resources. In the IAM policy hierarchy, BigQuery datasets are child resources of projects. For more information on assigning roles at the dataset level, see Controlling access to datasets.

Roles applied to individual resources within datasets

You can assign roles individually to certain types of resources within datasets, without providing complete access to the dataset's resources.

Roles can be applied to individual resources of the following types:

tables
views

Roles cannot be applied to individual resources of the following types:

routines
models

For more information on assigning roles at the table or view level, see Controlling access to tables or views.

BigQuery permissions

The following table describes the permissions available in BigQuery.

Permission	Description
`bigquery.bireservations.get`	Read BI Engine reservations.
`bigquery.bireservations.update`	Update BI Engine reservations.
`bigquery.capacityCommitments.create`	Create a capacity commitment in the project.
`bigquery.capacityCommitments.delete`	Delete a capacity commitment.
`bigquery.capacityCommitments.get`	Retrieve details about a capacity commitment.
`bigquery.capacityCommitments.list`	List all capacity commitments in a project.
`bigquery.capacityCommitments.update`	Update all capacity commitments in a project.
`bigquery.config.update`	Create a configuration.
`bigquery.config.get`	Get details about a configuration.
`bigquery.connections.create`	Create new connections in a project.
`bigquery.connections.delete`	Delete a connection.
`bigquery.connections.get`	Get connection metadata. Credentials are excluded.
`bigquery.connections.list`	List connections in a project.
`bigquery.connections.update`	Update a connection and its credentials.
`bigquery.connections.updateTag`	Update tags for a connection.
`bigquery.connections.use`	Use a connection configuration to connect to a remote data source.
`bigquery.connections.delegate`	Delegate connection to create authorized external tables and remote functions.
`bigquery.dataPolicies.create`	Create new data policies. This permission is in preview.
`bigquery.dataPolicies.delete`	Delete data policies. This permission is in preview.
`bigquery.dataPolicies.get`	Get metadata about data policies. This permission is in preview.
`bigquery.dataPolicies.getIamPolicy`	Read a data policy's IAM permissions. This permission is in preview.
`bigquery.dataPolicies.list`	List data policies in a project. This permission is in preview.
`bigquery.dataPolicies.maskedGet`	View the masked data of a column that has a policy tag associated with a data policy. This permission is in preview.
`bigquery.dataPolicies.setIamPolicy`	Set a data policy's IAM permissions. This permission is in preview
`bigquery.dataPolicies.update`	Update metadata for a data policy. This permission is in preview.
`bigquery.datasets.create`	Create new empty datasets.
`bigquery.datasets.createTagBinding`	Create tag bindings on a dataset.
`bigquery.datasets.delete`	Delete a dataset.
`bigquery.datasets.deleteTagBinding`	Delete tag bindings on a dataset.
`bigquery.datasets.get`	Get metadata about a dataset.
`bigquery.datasets.getIamPolicy`	Read a dataset's IAM permissions.
`bigquery.datasets.link`	Create a linked dataset.
`bigquery.datasets.listTagBindings`	List tag bindings on a dataset.
`bigquery.datasets.setIamPolicy`	Change a dataset's IAM permissions.
`bigquery.datasets.update`	Update metadata for a dataset.
`bigquery.datasets.updateTag` (beta)	Update tags for a dataset.
`bigquery.jobs.create`	Run jobs (including queries) within the project.
`bigquery.jobs.get`	Get data and metadata on any job.¹
`bigquery.jobs.list`	List all jobs and retrieve metadata on any job submitted by any user. For jobs submitted by other users, details and metadata are redacted.
`bigquery.jobs.listAll`	List all jobs and retrieve metadata on any job submitted by any user.
`bigquery.jobs.listExecutionMetadata` (beta)	List all job execution metadata (without sensitive information) on any job submitted by any user. It can only be applied at the organization level and is used by Admin UI.
`bigquery.jobs.delete`	Delete metadata for a job.
`bigquery.jobs.update`	Cancel any job.¹
`bigquery.models.create`	Create new models.
`bigquery.models.delete`	Delete models.
`bigquery.models.getData`	Get model data. To get model metadata, you need `bigquery.models.getMetadata`.
`bigquery.models.getMetadata`	Get model metadata. To get model data, you need `bigquery.models.getData`.
`bigquery.models.list`	List models and metadata on models.
`bigquery.models.updateData`	Update model data. To update model metadata, you need `bigquery.models.updateMetadata`.
`bigquery.models.updateMetadata`	Update model metadata. To update model data, you need `bigquery.models.updateData`.
`bigquery.models.export`	Export a model.
`bigquery.readsessions.create`	Create a new read session via the BigQuery Storage Read API.
`bigquery.readsessions.getData`	Read data from a read session via the Storage Read API.
`bigquery.readsessions.update`	Update a read session via the Storage Read API.
`bigquery.reservations.create`	Create a reservation in a project.
`bigquery.reservations.delete`	Delete a reservation.
`bigquery.reservations.get`	Retrieve details about a reservation.
`bigquery.reservations.list`	List all reservations in a project.
`bigquery.reservations.update`	Update a reservation's properties.
`bigquery.reservationAssignments.create`	Create a reservation assignment. This permission is required on the owner project and assignee resource. To move a reservation assignment, you need `bigquery.reservationAssignments.create` on the new owner project and assignee resource.
`bigquery.reservationAssignments.delete`	Delete a reservation assignment. This permission is required on the owner project and assignee resource. To move a reservation assignment, you need `bigquery.reservationAssignments.delete` on the old owner project and assignee resource.
`bigquery.reservationAssignments.list`	List all reservation assignments in a project.
`bigquery.reservationAssignments.search`	Search for a reservation assignment for a given project, folder, or organization.
`bigquery.rowAccessPolicies.create`	Create a new row-level access policy on a table.
`bigquery.rowAccessPolicies.delete`	Delete a row-level access policy from a table.
`bigquery.rowAccessPolicies.getFilteredData`	Gets data in a table that you want to be visible only to the principals in a row-level access policy's grantee list. We recommend this permission only be granted on a row-level access policy resource.
`bigquery.rowAccessPolicies.list`	List all row-level access policies on a table.
`bigquery.rowAccessPolicies.overrideTimeTravelRestrictions`	Access historical data for a table that has, or has previously had, row-level access policies.
`bigquery.rowAccessPolicies.getIamPolicy`	Get a row access policy's IAM permissions.
`bigquery.rowAccessPolicies.setIamPolicy`	Set the row access policy's IAM permissions.
`bigquery.rowAccessPolicies.update`	Re-create a row-level access policy.
`bigquery.routines.create`	Create new routines (functions and stored procedures).
`bigquery.routines.delete`	Delete routines.
`bigquery.routines.get`	Get routine definitions and metadata.
`bigquery.routines.list`	List routines and metadata on routines.
`bigquery.routines.update`	Update routine definitions and metadata.
`bigquery.routines.updateTag`	Update tags for a routine.
`bigquery.savedqueries.create`	Create saved queries.
`bigquery.savedqueries.delete`	Delete saved queries.
`bigquery.savedqueries.get`	Get metadata on saved queries.
`bigquery.savedqueries.list`	List saved queries.
`bigquery.savedqueries.update`	Update saved queries.
`bigquery.tables.create`	Create new tables.
`bigquery.tables.createIndex`	Create search indexes on tables.
`bigquery.tables.createSnapshot`	Create new table snapshots.
`bigquery.tables.delete`	Delete tables.
`bigquery.tables.deleteIndex`	Drop search indexes on tables.
`bigquery.tables.deleteSnapshot`	Delete table snapshots.
`bigquery.tables.export`	Export table data out of BigQuery.
`bigquery.tables.get`	Get table metadata. To get table data, you need `bigquery.tables.getData`.
`bigquery.tables.getData`	Get table data. This permission is required for querying table data. To get table metadata, you need `bigquery.tables.get`.
`bigquery.tables.getIamPolicy`	Read a table's IAM policy.
`bigquery.tables.list`	List tables and metadata on tables.
`bigquery.tables.restoreSnapshot`	Restore table snapshots.
`bigquery.tables.setCategory`	Set policy tags in table schema.
`bigquery.tables.setIamPolicy`	Change a table's IAM policy.
`bigquery.tables.update`	Update table metadata. To update table data, you need `bigquery.tables.updateData`.
`bigquery.tables.updateData`	Update table data. To update table metadata, you need `bigquery.tables.update`.
`bigquery.tables.updateTag` (beta)	Update tags for a table.
`bigquery.transfers.get`	Get transfer metadata.
`bigquery.transfers.update`	Create, update, and delete transfers.

¹ For any job you create, you automatically have the equivalent of the bigquery.jobs.get and bigquery.jobs.update permissions for that job.

BigQuery predefined IAM roles

The following table lists the predefined BigQuery IAM roles with a corresponding list of all the permissions each role includes. Note that every permission is applicable to a particular resource type.

Role Permissions

Role	Permissions
BigQuery Admin (`roles/bigquery.admin`) Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project. Lowest-level resources where you can grant this role: Datasets Row access policies Tables Views Contains 18 owner permissions	bigquery.bireservations.* bigquery.bireservations.get bigquery.bireservations.update bigquery.capacityCommitments.* bigquery.capacityCommitments.create bigquery.capacityCommitments.delete bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.capacityCommitments.update bigquery.config.* bigquery.config.get bigquery.config.update bigquery.connections.* bigquery.connections.create bigquery.connections.delegate bigquery.connections.delete bigquery.connections.get bigquery.connections.getIamPolicy bigquery.connections.list bigquery.connections.setIamPolicy bigquery.connections.update bigquery.connections.updateTag bigquery.connections.use bigquery.dataPolicies.create bigquery.dataPolicies.delete bigquery.dataPolicies.get bigquery.dataPolicies.getIamPolicy bigquery.dataPolicies.list bigquery.dataPolicies.setIamPolicy bigquery.dataPolicies.update bigquery.datasets.* bigquery.datasets.create bigquery.datasets.createTagBinding bigquery.datasets.delete bigquery.datasets.deleteTagBinding bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.link bigquery.datasets.listTagBindings bigquery.datasets.setIamPolicy bigquery.datasets.update bigquery.datasets.updateTag bigquery.jobs.* bigquery.jobs.create bigquery.jobs.delete bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.jobs.listExecutionMetadata bigquery.jobs.update bigquery.models.* bigquery.models.create bigquery.models.delete bigquery.models.export bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.models.updateData bigquery.models.updateMetadata bigquery.models.updateTag bigquery.readsessions.* bigquery.readsessions.create bigquery.readsessions.getData bigquery.readsessions.update bigquery.reservationAssignments.* bigquery.reservationAssignments.create bigquery.reservationAssignments.delete bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.* bigquery.reservations.create bigquery.reservations.delete bigquery.reservations.get bigquery.reservations.list bigquery.reservations.update bigquery.routines.* bigquery.routines.create bigquery.routines.delete bigquery.routines.get bigquery.routines.list bigquery.routines.update bigquery.routines.updateTag bigquery.rowAccessPolicies.create bigquery.rowAccessPolicies.delete bigquery.rowAccessPolicies.getIamPolicy bigquery.rowAccessPolicies.list bigquery.rowAccessPolicies.overrideTimeTravelRestrictions bigquery.rowAccessPolicies.setIamPolicy bigquery.rowAccessPolicies.update bigquery.savedqueries.* bigquery.savedqueries.create bigquery.savedqueries.delete bigquery.savedqueries.get bigquery.savedqueries.list bigquery.savedqueries.update bigquery.tables.* bigquery.tables.create bigquery.tables.createIndex bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.deleteIndex bigquery.tables.deleteSnapshot bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.restoreSnapshot bigquery.tables.setCategory bigquery.tables.setIamPolicy bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag bigquery.transfers.* bigquery.transfers.get bigquery.transfers.update bigquerymigration.translation.translate resourcemanager.projects.get resourcemanager.projects.list
BigQuery Connection Admin (`roles/bigquery.connectionAdmin`) Contains 2 owner permissions	bigquery.connections.* bigquery.connections.create bigquery.connections.delegate bigquery.connections.delete bigquery.connections.get bigquery.connections.getIamPolicy bigquery.connections.list bigquery.connections.setIamPolicy bigquery.connections.update bigquery.connections.updateTag bigquery.connections.use
BigQuery Connection User (`roles/bigquery.connectionUser`)	bigquery.connections.get bigquery.connections.getIamPolicy bigquery.connections.list bigquery.connections.use
BigQuery Data Editor (`roles/bigquery.dataEditor`) When applied to a table or view, this role provides permissions to: Read and update data and metadata for the table or view. Delete the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read the dataset's metadata and list tables in the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets. Lowest-level resources where you can grant this role: Table View	bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.models.* bigquery.models.create bigquery.models.delete bigquery.models.export bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.models.updateData bigquery.models.updateMetadata bigquery.models.updateTag bigquery.routines.* bigquery.routines.create bigquery.routines.delete bigquery.routines.get bigquery.routines.list bigquery.routines.update bigquery.routines.updateTag bigquery.tables.create bigquery.tables.createIndex bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.deleteIndex bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.restoreSnapshot bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag resourcemanager.projects.get resourcemanager.projects.list
BigQuery Data Owner (`roles/bigquery.dataOwner`) When applied to a table or view, this role provides permissions to: Read and update data and metadata for the table or view. Share the table or view. Delete the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read, update, and delete the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets. Lowest-level resources where you can grant this role: Table View Contains 11 owner permissions	bigquery.config.get bigquery.dataPolicies.create bigquery.dataPolicies.delete bigquery.dataPolicies.get bigquery.dataPolicies.getIamPolicy bigquery.dataPolicies.list bigquery.dataPolicies.setIamPolicy bigquery.dataPolicies.update bigquery.datasets.* bigquery.datasets.create bigquery.datasets.createTagBinding bigquery.datasets.delete bigquery.datasets.deleteTagBinding bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.link bigquery.datasets.listTagBindings bigquery.datasets.setIamPolicy bigquery.datasets.update bigquery.datasets.updateTag bigquery.models.* bigquery.models.create bigquery.models.delete bigquery.models.export bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.models.updateData bigquery.models.updateMetadata bigquery.models.updateTag bigquery.routines.* bigquery.routines.create bigquery.routines.delete bigquery.routines.get bigquery.routines.list bigquery.routines.update bigquery.routines.updateTag bigquery.rowAccessPolicies.create bigquery.rowAccessPolicies.delete bigquery.rowAccessPolicies.getIamPolicy bigquery.rowAccessPolicies.list bigquery.rowAccessPolicies.setIamPolicy bigquery.rowAccessPolicies.update bigquery.tables.* bigquery.tables.create bigquery.tables.createIndex bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.deleteIndex bigquery.tables.deleteSnapshot bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.restoreSnapshot bigquery.tables.setCategory bigquery.tables.setIamPolicy bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag resourcemanager.projects.get resourcemanager.projects.list
BigQuery Data Viewer (`roles/bigquery.dataViewer`) When applied to a table or view, this role provides permissions to: Read data and metadata from the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read the dataset's metadata and list tables in the dataset. Read data and metadata from the dataset's tables. When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs. Lowest-level resources where you can grant this role: Table View	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.export bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.createSnapshot bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list
BigQuery Filtered Data Viewer (`roles/bigquery.filteredDataViewer`) Access to view filtered table data defined by a row access policy Contains 1 owner permission	bigquery.rowAccessPolicies.getFilteredData
BigQuery Job User (`roles/bigquery.jobUser`) Provides permissions to run jobs, including queries, within the project. Lowest-level resources where you can grant this role: Project	bigquery.config.get bigquery.jobs.create resourcemanager.projects.get resourcemanager.projects.list
BigQuery Metadata Viewer (`roles/bigquery.metadataViewer`) When applied to a table or view, this role provides permissions to: Read metadata from the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: List tables and views in the dataset. Read metadata from the dataset's tables and views. When applied at the project or organization level, this role provides permissions to: List all datasets and read metadata for all datasets in the project. List all tables and views and read metadata for all tables and views in the project. Additional roles are necessary to allow the running of jobs. Lowest-level resources where you can grant this role: Table View	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.get bigquery.tables.getIamPolicy bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list
BigQuery Read Session User (`roles/bigquery.readSessionUser`) Access to create and use read sessions	bigquery.readsessions.* bigquery.readsessions.create bigquery.readsessions.getData bigquery.readsessions.update resourcemanager.projects.get resourcemanager.projects.list
BigQuery Resource Admin (`roles/bigquery.resourceAdmin`) Administer all BigQuery resources. Contains 3 owner permissions	bigquery.bireservations.* bigquery.bireservations.get bigquery.bireservations.update bigquery.capacityCommitments.* bigquery.capacityCommitments.create bigquery.capacityCommitments.delete bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.capacityCommitments.update bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.jobs.listExecutionMetadata bigquery.reservationAssignments.* bigquery.reservationAssignments.create bigquery.reservationAssignments.delete bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.* bigquery.reservations.create bigquery.reservations.delete bigquery.reservations.get bigquery.reservations.list bigquery.reservations.update recommender.bigqueryCapacityCommitmentsInsights.* recommender.bigqueryCapacityCommitmentsInsights.get recommender.bigqueryCapacityCommitmentsInsights.list recommender.bigqueryCapacityCommitmentsInsights.update recommender.bigqueryCapacityCommitmentsRecommendations.* recommender.bigqueryCapacityCommitmentsRecommendations.get recommender.bigqueryCapacityCommitmentsRecommendations.list recommender.bigqueryCapacityCommitmentsRecommendations.update resourcemanager.projects.get resourcemanager.projects.list
BigQuery Resource Editor (`roles/bigquery.resourceEditor`) Manage all BigQuery resources, but cannot make purchasing decisions. Contains 1 owner permission	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.jobs.listExecutionMetadata bigquery.reservationAssignments.* bigquery.reservationAssignments.create bigquery.reservationAssignments.delete bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.* bigquery.reservations.create bigquery.reservations.delete bigquery.reservations.get bigquery.reservations.list bigquery.reservations.update resourcemanager.projects.get resourcemanager.projects.list
BigQuery Resource Viewer (`roles/bigquery.resourceViewer`) View all BigQuery resources but cannot make changes or purchasing decisions. Contains 1 owner permission	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.jobs.listExecutionMetadata bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list resourcemanager.projects.get resourcemanager.projects.list
BigQuery User (`roles/bigquery.user`) When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset. When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (`roles/bigquery.dataOwner`) on these new datasets. Lowest-level resources where you can grant this role: Dataset	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.jobs.create bigquery.jobs.list bigquery.models.list bigquery.readsessions.* bigquery.readsessions.create bigquery.readsessions.getData bigquery.readsessions.update bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list bigquery.routines.list bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.list bigquery.transfers.get bigquerymigration.translation.translate resourcemanager.projects.get resourcemanager.projects.list
Masked Reader ^Beta (`roles/bigquerydatapolicy.maskedReader`) Masked read access to sub-resources tagged by the policy tag associated with a data policy, for example, BigQuery columns Contains 1 owner permission	bigquery.dataPolicies.maskedGet

BigQuery Admin

(roles/bigquery.admin)

Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project.

Lowest-level resources where you can grant this role:

Datasets
Row access policies
Tables
Views

Contains 18 owner permissions

bigquery.bireservations.*

bigquery.bireservations.get
bigquery.bireservations.update

bigquery.capacityCommitments.*

bigquery.capacityCommitments.create
bigquery.capacityCommitments.delete
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.capacityCommitments.update

bigquery.config.*

bigquery.config.get
bigquery.config.update

bigquery.connections.*

bigquery.connections.create
bigquery.connections.delegate
bigquery.connections.delete
bigquery.connections.get
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.connections.setIamPolicy
bigquery.connections.update
bigquery.connections.updateTag
bigquery.connections.use

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

bigquery.datasets.*

bigquery.datasets.create
bigquery.datasets.createTagBinding
bigquery.datasets.delete
bigquery.datasets.deleteTagBinding
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.link
bigquery.datasets.listTagBindings
bigquery.datasets.setIamPolicy
bigquery.datasets.update
bigquery.datasets.updateTag

bigquery.jobs.*

bigquery.jobs.create
bigquery.jobs.delete
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.jobs.listExecutionMetadata
bigquery.jobs.update

bigquery.models.*

bigquery.models.create
bigquery.models.delete
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.models.updateData
bigquery.models.updateMetadata
bigquery.models.updateTag

bigquery.readsessions.*

bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.readsessions.update

bigquery.reservationAssignments.*

bigquery.reservationAssignments.create
bigquery.reservationAssignments.delete
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search

bigquery.reservations.*

bigquery.reservations.create
bigquery.reservations.delete
bigquery.reservations.get
bigquery.reservations.list
bigquery.reservations.update

bigquery.routines.*

bigquery.routines.create
bigquery.routines.delete
bigquery.routines.get
bigquery.routines.list
bigquery.routines.update
bigquery.routines.updateTag

bigquery.rowAccessPolicies.create

bigquery.rowAccessPolicies.delete

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.rowAccessPolicies.overrideTimeTravelRestrictions

bigquery.rowAccessPolicies.setIamPolicy

bigquery.rowAccessPolicies.update

bigquery.savedqueries.*

bigquery.savedqueries.create
bigquery.savedqueries.delete
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.savedqueries.update

bigquery.tables.*

bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.tables.deleteSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.restoreSnapshot
bigquery.tables.setCategory
bigquery.tables.setIamPolicy
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateTag

bigquery.transfers.*

bigquery.transfers.get
bigquery.transfers.update

bigquerymigration.translation.translate

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Connection Admin

(roles/bigquery.connectionAdmin)

Contains 2 owner permissions

bigquery.connections.*

bigquery.connections.create
bigquery.connections.delegate
bigquery.connections.delete
bigquery.connections.get
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.connections.setIamPolicy
bigquery.connections.update
bigquery.connections.updateTag
bigquery.connections.use

BigQuery Connection User

(roles/bigquery.connectionUser)

bigquery.connections.get

bigquery.connections.getIamPolicy

bigquery.connections.list

bigquery.connections.use

BigQuery Data Editor

(roles/bigquery.dataEditor)

When applied to a table or view, this role provides permissions to:

Read and update data and metadata for the table or view.
Delete the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

Read the dataset's metadata and list tables in the dataset.
Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

Lowest-level resources where you can grant this role:

Table
View

bigquery.config.get

bigquery.datasets.create

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.datasets.updateTag

bigquery.models.*

bigquery.models.create
bigquery.models.delete
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.models.updateData
bigquery.models.updateMetadata
bigquery.models.updateTag

bigquery.routines.*

bigquery.routines.create
bigquery.routines.delete
bigquery.routines.get
bigquery.routines.list
bigquery.routines.update
bigquery.routines.updateTag

bigquery.tables.create

bigquery.tables.createIndex

bigquery.tables.createSnapshot

bigquery.tables.delete

bigquery.tables.deleteIndex

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.getIamPolicy

bigquery.tables.list

bigquery.tables.restoreSnapshot

bigquery.tables.update

bigquery.tables.updateData

bigquery.tables.updateTag

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Data Owner

(roles/bigquery.dataOwner)

When applied to a table or view, this role provides permissions to:

Read and update data and metadata for the table or view.
Share the table or view.
Delete the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

Read, update, and delete the dataset.
Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

Lowest-level resources where you can grant this role:

Table
View

Contains 11 owner permissions

bigquery.config.get

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

bigquery.datasets.*

bigquery.datasets.create
bigquery.datasets.createTagBinding
bigquery.datasets.delete
bigquery.datasets.deleteTagBinding
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.link
bigquery.datasets.listTagBindings
bigquery.datasets.setIamPolicy
bigquery.datasets.update
bigquery.datasets.updateTag

bigquery.models.*

bigquery.models.create
bigquery.models.delete
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.models.updateData
bigquery.models.updateMetadata
bigquery.models.updateTag

bigquery.routines.*

bigquery.routines.create
bigquery.routines.delete
bigquery.routines.get
bigquery.routines.list
bigquery.routines.update
bigquery.routines.updateTag

bigquery.rowAccessPolicies.create

bigquery.rowAccessPolicies.delete

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.rowAccessPolicies.setIamPolicy

bigquery.rowAccessPolicies.update

bigquery.tables.*

bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.tables.deleteSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.restoreSnapshot
bigquery.tables.setCategory
bigquery.tables.setIamPolicy
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateTag

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Data Viewer

(roles/bigquery.dataViewer)

When applied to a table or view, this role provides permissions to:

Read data and metadata from the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

Read the dataset's metadata and list tables in the dataset.
Read data and metadata from the dataset's tables.

When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.

Lowest-level resources where you can grant this role:

Table
View

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.models.export

bigquery.models.getData

bigquery.models.getMetadata

bigquery.models.list

bigquery.routines.get

bigquery.routines.list

bigquery.tables.createSnapshot

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.getIamPolicy

bigquery.tables.list

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Filtered Data Viewer

(roles/bigquery.filteredDataViewer)

Access to view filtered table data defined by a row access policy

Contains 1 owner permission

bigquery.rowAccessPolicies.getFilteredData

BigQuery Job User

(roles/bigquery.jobUser)

Provides permissions to run jobs, including queries, within the project.

Lowest-level resources where you can grant this role:

Project

bigquery.config.get

bigquery.jobs.create

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Metadata Viewer

(roles/bigquery.metadataViewer)

When applied to a table or view, this role provides permissions to:

Read metadata from the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

List tables and views in the dataset.
Read metadata from the dataset's tables and views.

When applied at the project or organization level, this role provides permissions to:

List all datasets and read metadata for all datasets in the project.
List all tables and views and read metadata for all tables and views in the project.

Additional roles are necessary to allow the running of jobs.

Lowest-level resources where you can grant this role:

Table
View

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.models.getMetadata

bigquery.models.list

bigquery.routines.get

bigquery.routines.list

bigquery.tables.get

bigquery.tables.getIamPolicy

bigquery.tables.list

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Read Session User

(roles/bigquery.readSessionUser)

Access to create and use read sessions

bigquery.readsessions.*

bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.readsessions.update

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Resource Admin

(roles/bigquery.resourceAdmin)

Administer all BigQuery resources.

Contains 3 owner permissions

bigquery.bireservations.*

bigquery.bireservations.get
bigquery.bireservations.update

bigquery.capacityCommitments.*

bigquery.capacityCommitments.create
bigquery.capacityCommitments.delete
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.capacityCommitments.update

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.listAll

bigquery.jobs.listExecutionMetadata

bigquery.reservationAssignments.*

bigquery.reservationAssignments.create
bigquery.reservationAssignments.delete
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search

bigquery.reservations.*

bigquery.reservations.create
bigquery.reservations.delete
bigquery.reservations.get
bigquery.reservations.list
bigquery.reservations.update

recommender.bigqueryCapacityCommitmentsInsights.*

recommender.bigqueryCapacityCommitmentsInsights.get
recommender.bigqueryCapacityCommitmentsInsights.list
recommender.bigqueryCapacityCommitmentsInsights.update

recommender.bigqueryCapacityCommitmentsRecommendations.*

recommender.bigqueryCapacityCommitmentsRecommendations.get
recommender.bigqueryCapacityCommitmentsRecommendations.list
recommender.bigqueryCapacityCommitmentsRecommendations.update

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Resource Editor

(roles/bigquery.resourceEditor)

Manage all BigQuery resources, but cannot make purchasing decisions.

Contains 1 owner permission

bigquery.bireservations.get

bigquery.capacityCommitments.get

bigquery.capacityCommitments.list

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.listAll

bigquery.jobs.listExecutionMetadata

bigquery.reservationAssignments.*

bigquery.reservationAssignments.create
bigquery.reservationAssignments.delete
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search

bigquery.reservations.*

bigquery.reservations.create
bigquery.reservations.delete
bigquery.reservations.get
bigquery.reservations.list
bigquery.reservations.update

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Resource Viewer

(roles/bigquery.resourceViewer)

View all BigQuery resources but cannot make changes or purchasing decisions.

Contains 1 owner permission

bigquery.bireservations.get

bigquery.capacityCommitments.get

bigquery.capacityCommitments.list

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.listAll

bigquery.jobs.listExecutionMetadata

bigquery.reservationAssignments.list

bigquery.reservationAssignments.search

bigquery.reservations.get

bigquery.reservations.list

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery User

(roles/bigquery.user)

When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset.

When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner) on these new datasets.

Lowest-level resources where you can grant this role:

Dataset

bigquery.bireservations.get

bigquery.capacityCommitments.get

bigquery.capacityCommitments.list

bigquery.config.get

bigquery.datasets.create

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.jobs.create

bigquery.jobs.list

bigquery.models.list

bigquery.readsessions.*

bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.readsessions.update

bigquery.reservationAssignments.list

bigquery.reservationAssignments.search

bigquery.reservations.get

bigquery.reservations.list

bigquery.routines.list

bigquery.savedqueries.get

bigquery.savedqueries.list

bigquery.tables.list

bigquery.transfers.get

bigquerymigration.translation.translate

resourcemanager.projects.get

resourcemanager.projects.list

Masked Reader ^Beta

(roles/bigquerydatapolicy.maskedReader)

Masked read access to sub-resources tagged by the policy tag associated with a data policy, for example, BigQuery columns

Contains 1 owner permission

bigquery.dataPolicies.maskedGet

BigQuery custom roles

To create a custom IAM role for BigQuery, follow the steps outlined in the IAM custom roles documentation.

BigQuery basic roles

For information on BigQuery basic roles, see BigQuery basic roles and permissions.

What's next

See the BigQuery access control examples.
For more information about assigning roles at the dataset level, see Controlling access to datasets.
For more information about assigning roles at the table or view level, see Controlling access to tables and views.

Access control with IAM

Overview

IAM role types

BigQuery permissions and predefined IAM roles

Roles applied at an organization or Cloud project level

Roles applied at a dataset level

Roles applied to individual resources within datasets

BigQuery permissions

BigQuery predefined IAM roles

BigQuery Admin

BigQuery Connection Admin

BigQuery Connection User

BigQuery Data Editor

BigQuery Data Owner

BigQuery Data Viewer

BigQuery Filtered Data Viewer

BigQuery Job User

BigQuery Metadata Viewer

BigQuery Read Session User

BigQuery Resource Admin

BigQuery Resource Editor

BigQuery Resource Viewer

BigQuery User

Masked Reader Beta

BigQuery custom roles

BigQuery basic roles

What's next

Masked Reader ^Beta